Insufficient REST API authorization in the Site Kit by Google WordPress plugin before version 1.176.0 permits users with dashboard sharing access - such as those granted the Editor role - to write to a site-wide settings endpoint that should be restricted to administrators. The integrity impact is confined to plugin-level configuration, but the flaw is significant because dashboard sharing is commonly granted to non-admin contributors on multi-author sites. A publicly available proof-of-concept exists per WPScan; exploitation probability remains very low (EPSS 0.13%, 3rd percentile) and the vulnerability is not listed in the CISA KEV catalog.
LDAP injection in Jenkins Active Directory Plugin 2.41.1 and earlier allows unauthenticated remote attackers to enumerate Active Directory entries and authenticate as any directory user they can identify via wildcard matching, provided they already know that user's password. The vulnerability is confined to the Windows native ADSI authentication path, limiting exposure to Jenkins instances running on Windows with ADSI configured. No public exploit code or active exploitation has been identified; SSVC rates it non-automatable with partial technical impact.
Insufficient OAuth token revocation in Rocket.Chat allows deactivated user accounts to maintain persistent, unauthorized access to the platform. Affected versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 fail to invalidate bearer or refresh tokens upon account deactivation, meaning a deactivated user can continue accessing resources with an existing bearer token or mint entirely new bearer tokens from a retained refresh token. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the post-deactivation access window is unbounded unless tokens naturally expire.
Insufficient session expiration in Rocket.Chat allows users administratively deactivated via the users.deactivateIdle mechanism to continue accessing authenticated REST API endpoints using previously-issued login tokens that were never invalidated. All Rocket.Chat deployments across the 7.x and 8.x release branches prior to the fixed versions are affected. No public exploit has been identified and the CVSS 4.0 score of 2.3 reflects genuinely low real-world risk given high attack complexity, limited impact, and the requirement for a specific idle-deactivation administrative workflow.
Insufficient session expiration in Apache Shiro's RememberMe feature allows a stolen cookie to be replayed indefinitely, bypassing the configured cookie age restriction. All shiro-web deployments from version 1.2.4 through the entire 2.x line and the 3.0.0-alpha-1 pre-release are affected whenever RememberMe is enabled. An attacker who intercepts a victim's RememberMe cookie - through network interception, XSS, or similar means - can reuse it without time limit, effectively maintaining persistent unauthorized access to the victim's session even after the configured expiration has elapsed. No public exploit code or CISA KEV listing has been identified at time of analysis.
Path traversal in Jellyfin prior to 10.11.10 enables an attacker who can place a crafted MKV file in a victim's Jellyfin library to redirect the server's MKV attachment extraction routine to arbitrary absolute filesystem paths on the host. The flaw originates in .NET's Path.Combine behavior: Jellyfin passes the unsanitized MKV filename tag directly into Path.Combine(attachmentFolder, fileName), and .NET silently ignores the base path when the second argument is rooted, enabling full path override. Exploitation is triggered automatically whenever any Jellyfin client plays the affected file with subtitle burning enabled, which is the default behavior. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 1.7 reflects high complexity and low integrity-only impact.
Stored XSS in the AWS API key store component of Thinkst Applied Research Canarytokens allows a low-privileged attacker who knows a token's random identifier to inject persistent malicious scripts that execute in a victim's browser when they view the affected token page. Exploitation is constrained by high attack complexity (AC:H), a prerequisite attack requirement (knowledge of a random identifier), low-privilege authentication, and active user interaction - reflected in an extremely low CVSS 4.0 base score of 1.1. No active exploitation is confirmed; however, the CVSS 4.0 vector includes E:P, indicating proof-of-concept exploit code exists.